Hacking a Web Server : Rooting A Linux Server

This is the third article in server hacking series. I hope you guys enjoyed last two articles. If you are new to this series I suggest you read last two articles too. Link to the Series In the last article, we were able to upload a PHP shell on the server. In this article, we will try to root the server.

I hope you know about root user on Linux server. For those who don't know what root is, Root is a super user on Linux server which has all the permission to all files and functions in the server.

Things we need

A Linux Hacking Distro.

A vulnerable server.

Identifying the kernel version

This is the first step of rooting the server.

In this step, we try to find out the kernel version and year.

To do that you have to visit your PHP web shell and look at uname.

In my example, uname shows Kernal version 3.13.0-32 and year is 2014.

In you are using tools like Weevely, you have to type uname -a to get the kernel version and year.

Finding Exploit for kernel

After finding the kernel version, we need to find exploit for this kernel.

We will use Exploit-DB to find the kernel exploit.

Just open Exploit-db.com and click on search and enter the version number.

Now open any exploit available for that kernel.

Download the exploit code.

Rooting the server

After downloading the exploit, upload the exploit to the server using upload function in PHP web shell.

Now we have to use Netcat to create a connection between our computer and the server PHP shell.

Open terminal and type the following commands and leave the terminal open.

nc -n -l -v -p 31337

In this step, we are going to connect our PHP web shell to the Netcat using back connect option in our PHP web shell.

After successful connection, we will get a command shell on the server or we can say terminal interface on the server.

Now we have to change the directory where the kernel exploit is uploaded.

After that, we type the following commands to compile the exploit. Here exp.c is exploit file and exp is output file.

gcc exp.c -o exp

After compiling the exploit, now we have to run it.Type the following commands to run the exploit.

./exp

After running the exploit, you can check the root status using "id" command.